On CyberWar

This is the longer draft of a short piece I did for the just-released Delayed Gratification. Before the Wikileaks stuff happened, incidentally, so I was prescient about 4chan.

Undersea Cable

Missile weapons, phalanxes, military organisation, artillery, ironclads, dreadnoughts, machine guns, submarines, and finally nuclear weapons. These are all shifts of technology that led to shifts in international power, making the ultimate weapons of their time obsolete. Rifled guns eradicated knights, ironclads wiped out galleons, like lightning against tin hats.

Cyberwarfare is the latest technological shift. Simply put, it’s an aggressive action carried out using computer technology. It’s mostly a threat to networked devices, so an obvious defense would seem to be not connecting your machines, especially the important ones, to the Internet at all. Yet the two biggest infections of recent years (this year’s Stuxnet attack on Iran and 2008’s infection of US Central Command) were both carried in on USB sticks. Moreover, as we’ll see, quite apart from whether your computers are isolated, the physical infrastructure of the Internet is itself vulnerable to everything from fires to enthusiastic hoeing.

The UK government thinks cyber attacks are such a huge threat that, even in the midst of the biggest public service retrenchment since Henry VIII burnt half his cabinet, it has just allocated an extra £650 million to defending against them, and rated them a Tier 1 threat – that means we should be more scared of them than of nuclear, chemical, biological or radiological attacks. Meanwhile, the US government has admitted that hackers steal enough data from US agencies, businesses and universities to fill the Library of Congress many times over.

The varieties of cyberwarfare range from the brute force, such as the DDoS (distributed denial of service) attacks employed by Russian botnets and angry forum users, to national-scale intrusion campaigns such as the Chinese Titan Rain or the Russian Moonlight Maze, to the highly targeted Stuxnet (the culprit of which is unlikely to be known until we accidentally hack whoever it was back). You can see from this that state cyberwarfare is not qualitatively different from ordinary hacking and virus-writing – Stuxnet is only thought to be the work of a government because it spent rare, valuable vulnerabilities that a criminal would have sold rather than burnt.

Stanislav Petrov

Who are the great powers in the world of cyberwarfare? An anonymous industry expert we contacted pointed to “nation states, organised criminal organisations and (defensively) some large organisations (especially in financial services)” as the major actors. In economics a company or country can dominate a market with a small number of experts, or distort one with a small lobbying firm; in cyberwarfare, what’s required to be a major power is large numbers of committed technical experts. So cyberwarfare gives disproportionate power to mass movements that include technical types, for example cyber vigilantes like Wikileaks or the huge, juvenile anarchist community 4chan.

Despite its apparent technological expertise, most of the United States’ technology production and know-how was long ago outsourced to the Far East; so compared to its dominance in almost every other field (it accounts for 45% of the world’s total military spending), it has been relatively weak in cyberwarfare. So how do they plan to defend against it? Former US Homeland Security Secretary Michael Chertoff suggested in October that cyberwarfare is best opposed by open protocols, similar to but not quite at the level of mutually assured destruction (MAD): “…it’s important to define when and how it might be appropriate to respond,” explained Chertoff. “Everyone needs to understand the rules of the game.”

Sadly, as our expert points out, it’s easy to establish protocols, but there are three major problems with making them work. Firstly, this is such a mutable field that any protocol would have to be either very wide-ranging or very vague to survive the rate of technological change. Secondly, there are so many ongoing attacks (more than 100 foreign intelligence agencies are trying to hack into US military networks, and there are over 1000 attacks a month) that it isn’t clear which of them justify a response. “Any attack needs to cause (or be about to cause) real world damage.” If that could be established, a response would then follow existing international treaties.

Sadly, the third problem is the biggest. “The fundamental difficulty at the moment in establishing a cyber response doctrine is the difficulty of definitive attribution of any cyber attack (including intelligence gathering operations),” says our source. “At a very recent conference I attended there was a strand of thought developing that attribution might always be largely impossible without fundamental changes to the structure of the Internet, with detailed monitoring of any cross-border traffic.” Without such a change, no government can retaliate in good faith – source data is faked so easily that “Any web-based attack can be launched from computers all over the world.” Still, Chertoff talked of attacking anyway to remove the node the attack was coming through – even if that node was blameless.

Sub-Saharan Undersea Cables in 2012

Even if all that’s solved, you have to rely on the protocols being carried out – as the case of Stanislav Petrov shows. He was the duty officer in a Soviet early-warning bunker in 1983 when his (faulty) systems reported that the US had launched missiles; thankfully, he judged it a false alarm and refused to pass it up the chain as an attack, against the doctrine of MAD, but undermining the whole point of the protocol. A protocol that’s not carried out is worthless – and neither men nor machines can be relied upon.

So what defenses do we have? Well, less advanced nations have a slight advantage. As William Lynn, US Deputy Secretary of Defense, pointed out recently, dispersed, complicated and messy systems, like the US power grid, are protected by their complexity and lack of connection. Conversely, anything designed for remote, Internet-based management is really asking for trouble. However, as our expert says, “If you know a previously undiscovered vulnerability and/or you can socially engineer a victim into clicking on a link or opening an email then you will always get in.” Attacks using undiscovered (‘zero-day’) vulnerabilities were rare in the wild – until Stuxnet used four of them at once.

That said, computing is still entirely a physical medium – the Internet has not evanesced or apotheosized to exist entirely in the air (yet). “It’s safe to assume that security of the physical infrastructure is a key part of any cyber warfare planning,” says our expert. Key elements of the net exist in the unlikeliest locations; favourite locations for server farms (the great data stores of the internet) are deep, unused mines and other cold, dry areas. Meanwhile, much of the world’s data is carried through thin undersea cables that are vulnerable to ships’ anchors and that cluster as they come ashore in very few locations – New York, Cornwall, Rio, Singapore and Mumbai (see image, right). A still-unexplained series of cable breaks in 2008 meant that 80 million people across India and the Middle East lost their connection.

That’s not the whole story. As Lynn points out, the substrate of the Internet can be compromised too – “The risk of compromise in the manufacturing process is very real and is perhaps the least understood cyber threat.” Back doors and kill switches can be built into software and hardware, lying dormant until needed. If all else fails, seven people worldwide (including one from Bath, Somerset) have been entrusted with shares of the key that can rebuild the DNSSEC root signing key, the trust anchor for the internet’s naming system – assuming that at least five of them can make it to Texas to do it!
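The “five of seven” arrangement above is a threshold scheme: the key is split into shares such that any five reconstruct it and any four reveal nothing. The block below is an added illustration of that idea using Shamir secret sharing over a prime field; it is not the DNSSEC root-key ceremony procedure or any code from ICANN, and the function names (split_secret, recover_secret, demo) and the toy secret are this editor’s own constructions.

```python
"""Threshold secret sharing (Shamir, 1979): split a secret into n shares so that
any k of them reconstruct it and any k-1 reveal nothing about it.

Added illustration only: NOT the DNSSEC root-key ceremony or ICANN's code.
Shows the 5-of-7 threshold idea from the article with a constructed toy secret."""
import random
from typing import List, Optional, Tuple

# Field modulus; secrets must be smaller than this. 2**127 - 1 is a Mersenne
# prime, large enough that guessing a missing share is hopeless.
PRIME = 2**127 - 1

Share = Tuple[int, int]  # (x, f(x))


def _eval_poly(coeffs: List[int], x: int, p: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x**2 + ... at x (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret: int, k: int, n: int, p: int = PRIME,
                 rng: Optional[random.Random] = None) -> List[Share]:
    """Produce n shares of `secret`, any k of which reconstruct it."""
    if not 0 <= secret < p:
        raise ValueError("secret must be in [0, p)")
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    rng = rng or random.SystemRandom()  # CSPRNG by default
    # Degree k-1 polynomial: constant term is the secret, other coefficients random.
    coeffs = [secret] + [rng.randrange(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share], p: int = PRIME) -> int:
    """Lagrange-interpolate the polynomial through `shares` and evaluate it at x = 0.
    With fewer than k shares this returns a value unrelated to the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p
                den = (den * (xi - xj)) % p
        basis = num * pow(den, -1, p) % p  # pow(den, -1, p) is the modular inverse (Python 3.8+)
        secret = (secret + yi * basis) % p
    return secret


def demo(seed: int = 1234) -> dict:
    """Split a toy secret 5-of-7, then try to rebuild it from 5 and from 4 shares."""
    rng = random.Random(seed)  # seeded only to make the demo repeatable; never do this for real keys
    secret = int.from_bytes(b"toy-root-secret", "big")  # constructed 15-byte sample, below PRIME
    shares = split_secret(secret, k=5, n=7, rng=rng)
    from_five = recover_secret(rng.sample(shares, 5))
    from_four = recover_secret(rng.sample(shares, 4))
    return {
        "secret": secret,
        "from_five": from_five,
        "from_four": from_four,
        "five_ok": from_five == secret,
        "four_ok": from_four == secret,
    }


if __name__ == "__main__":
    r = demo()
    print("5 of 7 shares recover the secret:", r["five_ok"])
    print("4 of 7 shares recover the secret:", r["four_ok"])
```

The point the article gestures at falls out of the maths: four shares pin down a degree-3 polynomial, which passes through the real secret at x = 0 only by a one-in-2^127 chance, so the holders cannot collude below threshold. The real ceremony adds what this toy omits, including tamper-evident hardware, witnesses and audited scripts, which is why the shares alone do not “reset the internet”.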